Quantum protocols for the millionaire problem with a third party are trivial 
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Recently there were many quantum protocols devoted to solve the millionaire problem and private 
comparison problem by adding a semi-honest third party. But it will be shown here that once such 
an additional third party is introduced, the problems can easily be solved using classical protocols 
with the assistance of quantum key distribution. Therefore full quantum protocols seem unnecessary 
as they can hardly beat the feasibility and simplicity of these protocols. 
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I. INTRODUCTION 

The millionaire problem [l[ was originally a two-party 
secure computation problem, in which two millionaires, 
Alice and Bob, want to know which of them is richer 
without revealing their actual wealth. It is analogous 
to a more general problem whose goal is to compare two 
numbers a and b, without revealing any extra information 
on their values other than what can be inferred from 
the comparison result. There is also a variation called 
the socialist millionaire problem 0], in which Alice and 
Bob want to determine if their wealth a and b are equal, 
without disclosing any extra information on the values 
of a and b to each other. As typical examples of secure 
multi-party computation, these problems play essential 
roles in cryptography. They have many applications in e- 
commcrcc and data mining where people need to compare 
numbers which are confidential. 

Nevertheless, the original solutionflj to the problems 
needs to rely on oblivious transfer [3J, which is hard to 
achieve unconditional security even in quantum cryptog- 
raphy Therefore, people considered a relaxed set- 
ting of the problems which involves an additional semi- 
honest third party, generally called Trent (or TP). Trent 
communicates with Alice and Bob separately. He is re- 
garded as semi-honest because, on one hand, we study 
only the case where he executes the protocol faithfully, 
and loyally keeps the data he exchanges with one party 
secret from the other. That is, he will not try to spoil 
the protocol or help either Alice or Bob to cheat. On the 
other hand, he is not fully trustable as he may attempt 
to learn the values of a and b or the comparison result, by 
methods such as eavesdropping or intercepting the classi- 
cal and quantum channels between the other two parties, 
or faking the quantum states which look authentic to Al- 
ice and Bob while entangled with his ancillary systems 
that can provide him additional informations, etc. 

Under this setting, the problems become three-party 
cryptography, so that the existing impossibility proofs 
on two-party secure computations do not necessar- 
ily apply. Therefore, many quantum protocols were pro- 



posed. Jia et al. [9j proposed a solution to the millionaire 
problem, while the others [Tfj| - ir7| studied the socialist 
millionaire problem under the name "quantum private 
comparison" (QPC). 

In this paper, however, we will show that the problems 
become trivial once the third party is included, because 
there exists a simple solution which is basically classical 
protocols with the assistance of quantum key distribu- 
tion (QKD) [l8j]- On the contrary, all previous proto- 
cols for the millionaire problem and QPC require a much 
greater amount of quantum resources, such as entan- 
glement, quantum memory, joint measurements, decoy 
states, etc. Therefore they are all inferior in feasibility 
and simplicity. 

In the next section, we will propose our simple protocol 
for the millionaire problem, and prove its security. Then 
we will show in section 3 how to adapt the protocol for the 
QPC task. A detailed comparison between our proposal 
and previous protocols will be provided in section 4. 



II. SIMPLE PROTOCOL FOR THE 
MILLIONAIRE PROBLEM 

Suppose that Alice has a secret number a, and Bob has 
a secret number b. In this section we assume that the 
case a — b will never happen. Otherwise the comparison 
result will inevitably reveal the values of a and b to both 
parties, so that it will be impossible to reach the original 
goal of the millionaire problem, which requires the values 
to remain unrevealed. Note that previous protocol @ did 
not cover this case either. 

Under this consideration, to find out which one of a 
and b is larger with the help of a semi-honest third party 
Trent, our protocol goes as follows. 

Protocol PI: 

(1) Alice and Bob share two random numbers c and 
A (A ^ 0) through QKD. There is no restriction on the 
selection range of c and A as long as they are both real 
numbers. Their order of magnitude does not need to 
match that of a and b. They can be either positive or 
negative, and |A| can be either larger or smaller than 1. 

(2) Alice calculates 
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a = Xa + C, 



(1) 
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and sends a to Trent through QKD. 

(3) Bob calculates 

f3 = \b + c, (2) 

and sends j3 to Trent through QKD. 

(4) Trent calculates 

D = a-0, (3) 

and sets R = (R = 1) if D > (D < 0). Then he 
announces R to both Alice and Bob publicly. 

(5) Alice and Bob will both know the comparison result 
from A and R. If (— 1) R X > then the result is a > b, 
else a < b. 

In the above protocol, a, b, c and A are not limited to 
bits nor integers, and do not need to be written in binary 
representations. If Alice and Bob want to compare binary 
strings bit by bit, or to compare many pairs of large 
numbers, just as they do in previous protocols [9r|l7j, 
they can simply repeat our protocol many times. Note 
that if a and b are bits, then the comparison result will 
make Alice and Bob easily deduce the secret number of 
each other. But this situation is inevitable by nature of 
the millionaire problem and QPC, and also exists in all 
previous protocols [9l4l7|. 

The correctness of the protocol can easily be verified. 
By combining equations (JXJ) - ([3]), we have a — b = D / A. 
Since (— 1) R actually represents the sign of D, (—1) R A 
will have the same sign as that of a — &, and thus indicates 
which one of a and b is larger. 

A distinct feature of our protocol is that other than us- 
ing QKD to protect the communications between the par- 
ticipants, no more quantum method is involved. The rest 
parts of the protocol are completely classical. Therefore, 
given that QKD is unconditionally secure, the security 
proof of the protocol is simple elementary mathematics. 

From Trent's point of view, since the information ex- 
changed between Alice and Bob is secured by QKD, all 
the information Trent obtained in the protocol is merely 
the values of a and (3, and the fact that they satisfy the 
relationship described in equations ([1]) and ©. The val- 
ues of a, 6, c and A are not available directly to him. 
Since two equations are insufficient for determining four 
unknown variates, Trent will find that there could be in- 
finite solutions for a and b so that he cannot know which 
one is larger. 

In fact, suppose that there are u, v 7 cq and Ao satisfying 
a = A u + c , (4) 

and 

/3 = A w + c , (5) 
then it can be verified that they also satisfy 

a = (-\ )v + (a + f3-c ), (6) 



and 

P = {-X )u + (a + p - c ). (7) 

That is, no matter Alice and Bob take a — u, b = v, 
c = Co, A = Ao, or they take a — v, b — u, c ~ a + (3 ~ cq, 
A = — Ao, Trent will receive the same a and (3. Therefore, 
a > b and a < b will both make sense to him so that he 
cannot tell which is the actual comparison result. Thus 
the protocol is unconditionally secure against Trent. 

From Alice's point of view, since the information ex- 
changed between Bob and Trent is secured by QKD, she 
cannot know (3. Consequently, besides her own a, all the 
information she obtained in the protocol is merely the 
values of c, A and R. Here c and A are randomly chosen 
by her and Bob, which contain no information about b. 
Meanwhile, R carries I bit of information only. Accord- 
ing to information theory, this amount is insufficient to 
determine b as long as the number of possible values of 
b is more than 3. Therefore the protocol is also uncon- 
ditionally secure against Alice. The security against Bob 
can be proven similarly. 

III. QUANTUM PRIVATE COMPARISON 
PROTOCOLS 

When applying the above protocol directly for the so- 
cialist millionaire problem, a.k.a. quantum private com- 
parison (QPC), there will be a security loophole. That is, 
Trent can always know the comparison result (a — b or 
a ^ b) by checking whether there is D = 0. Note that this 
is also the case in the protocols proposed in [l3l - [l5j . But 
it is surely better if the loophole can be avoided. Here we 
show that this goal can indeed be achieved by repeating 
a slightly modified version of our above Protocol PI for 
many rounds, as described below. 

Protocol P2: 

Suppose that a and b are Alice's and Bob's secret num- 
bers, respectively, that they want to compare. For i = I 
to n, Alice and Bob compare a pair of and bi with 
the help of Trent using a process similar to Protocol PI, 
except that in step (4) of PI, Trent merely announces 
whether a and (3 are equal or not, without providing fur- 
ther information on which one is larger. Here, most of 
Alice's di's and Bob's 6,'s are randomly chosen by them- 
selves, except that in the i$-tYi round of the comparison, 
they take <ij = a and 6j = b. Also, in other m (m < n) 
rounds, they take a; = 6j = (i = i\, 12, i m )- The val- 
ues of io, ii, %2, i m an d rn are all decided and shared 
by Alice and Bob through QKD, and kept secret from 
Trent. 

The correctness and security of this protocol is also 
obvious. With the result Trent announced in the io-th 
round, Alice and Bob can surely know whether a and b 
are equal. Meanwhile, Trent has not announced which 
one of a and (3 is larger. Therefore in the case a =/= b, 
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Alice and Bob cannot deduce whether a > b and a < b 
like they did in step (5) of the original Protocol PI, so 
that no further information on a and b is leaked to them. 
From Trent's point of view, no matter a — b or a =/= b, 
he will find = bi in some rounds of the comparison 
in P2. He has no idea whether these rounds include a 
and 6, as the values of «o and m are protected by the 
QKD process between Alice and Bob. Given that QKD is 
unconditionally secure, we achieve the goal that the final 
comparison between a and b is kept secret from Trent. 
Again, no other quantum methods are required besides 
QKD. 



IV. COMPARISON BETWEEN EXISTING 
PROTOCOLS 

We summarized the comparison between our above 
proposal and previous protocols in Table I. Note that 
only the one in Q and our Protocol PI deal with the 
original millionaire problem, i.e., finding the larger one 
among a and b. The rest are all QPC protocols, which 
only compare whether a and b (or X and Y) are equal, 
without judging which one is larger. Also, [12| pointed 
out that the original protocol in EH is insecure, and 
proposed the corresponding solution. Thus we treated 
Refs. fToj - f]~2| ] as one protocol in Table I. Similarly, [lil 
pointed out the security loopholes of the protocol in [13| , 
and suggested two improvements, with one of them mak- 
ing use of the decoy state method. Thus we treated 
[l3l [T3 ] as one protocol in Table I, and listed "decoy 
states" as "optional". 

On the security aspect, as shown above, our Protocols 
PI and P2 satisfy the security requirements of the orig- 
inal millionaire problem and QPC, respectively. On the 
contrary, even though all previous protocols [9h17| can 
prevent Trent from knowing the exact values of a and b, 
they still leak extra information to either Trent or Alice 
and Bob. In the protocol for the millionaire problem in 
@, Trent always knows \a — b\, while the QPC protocols 
in [l3l - fl5l | have the problem that Trent knows whether 
a = b or not. The rest QPC protocols [IM3, El, Ezl is 
secure against Trent, but besides the comparison result 
(a = 6 or a ^ 6), Alice and Bob will still obtain an extra 
amount of information on a and 6, as elaborated below. 

In the QPC protocol in [ToWl^. Alice and Bob first 
express a and b in binary representations as a — 
a^a<- 2 \..a^... and b = b^b™ ... (<z«,6» G {0,1} 
for all z's), respectively, then compare each pair of the 
bits and fcW [i = 1 5 2, ...) one by one with the help of 
Trent. If all pairs of qW and b^ turn out to be equal then 
they know that a = b. But once they find a difference 
pair (e.g., a^ 10 ' =i b^ 10 ') which indicates that a ^ b, they 
should immediately abort the procedure without further 
comparing the rest a^'s and 6^''s. In this case, only 
the first few bits of a and b are known to be aW = &w 
(i = 1, 2, ...,i -l) and ^ b^ l °\ This is insufficient to 
determine the exact values of a and b. However, Bob (Al- 



ice) will know the exact values of the first ig bits of a (&), 
i.e., they both gain i$ (io > 1) bits of information about 
a and b. Since ig > 1 occurs with a non-vanishing prob- 
ability, the average amount of information gained will be 
larger than, and unequal to 1 bit. Note that in (Iol - [T^ |. 
Alice's and Bob's actual secret numbers that they want 
to compare are X and Y, respectively, while a = H(X) 
and b = H(Y) are their corresponding hash values, where 
H is a secret hash function they share beforehand. Nev- 
ertheless, since a good hash function is a 1-to-l mapping 
between X and a (Y and b), knowing the first iq bits of a 
(b) means that the possible choices of the value of X (Y) 
will be limited to those whose hash values start with the 
bits (b^), i — 1,2, ...,io- That is, there are also io 
bits of information about X (Y) become known to Bob 
(Alice) . The use of the hash function merely changes the 
type of the information leaked, while the amount of this 
information remains the same. 

The protocols in (l6l . E3] leak extra information to Al- 
ice and Bob too. After calculating R in equation (15) 
of [H| or equation (9) of 0, if R ^ 0, Alice and Bob 
will not only know that X ^ Y, but also know that 
the number of different bits in the binary representa- 
tion of X and Y is exactly R. Therefore, the num- 
ber of the possible choices of the value of Y (X) will 

where N is the length of the bi- 



be limited to 



R 



nary representation of X and Y . Before the comparison, 
the number of choices was 2 N . Thus the amount of in- 
formation leaked to each of Alice and Bob is I(R) = 



N 



N - log 



N 



If all values 



log 2 2 N - log 2 

\ / \ / 

of X and Y occur with equal probabilities, the probabil- 
ity for them to have R different bits will be prob(R) = 

( N ^ 



R 



/2 . Considering that X ^ Y happens with the 



probability p = (2 N — l)/2 N , when it indeed happened, 
the average amount of information leaked to each of Al- 
ice and Bob will be / = (1/p) E^i^ ^) ' I ( R ) = 

N ELi ( ^ J l°g 2 ( ^ )]/(2" - 1) > 1. That is, 

knowing the value of R makes Alice and Bob each gain 
more than 1 bit of extra information from these proto- 
cols. 

Thus we see that all previous protocols [9T-[l7| leak 
extra information to the parties. Ours PI and P2 win 
hands-down in this category as there is absolutely zero 
information leaked. 

But more significantly, on the feasibility aspect, all 
previous protocols [9h17| require much more quantum re- 
sources than ours. First, they all have to rely on quantum 
entanglement. To compare two numbers a and b satisfy- 
ing 1 < a, b < N, the protocol in [§] even requires the use 
of 2iV-level entangled states. Secondly, quantum mem- 
ory (at least short-term one) is also required in all these 
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TABLE I: Comparison between our protocols PI, P2 and existing millionaire problem and QPC protocols in [9T-[l7l]. All the 
blank spaces mean "no". 

Ref.[9j's Our PI Rcfs. [10-12] 's Refs.[13, 141 's Ref.[15]'s Ref.[16]'s Ref.[17]'s Our P2 



Alice/Bob's extra info. 






> 1 bit 






> 1 bit 


> 1 bit 


Trent knows the result 


partial 






Yes 


Yes 






entanglement 


Yes 




Yes 


Yes 


Yes 


Yes 


Yes 


quantum memory 


Yes 




Yes 


Yes 


Yes 


Yes 


Yes 


joint measurements 


Yes 




Yes 








Yes 


decoy states 


Yes 




Yes 


optional 


Yes 






QKD 


Yes 


Yes 


Yes 






Yes 


Yes 



protocols, as there are always some parts of the quantum 
states which cannot be measured immediately once they 
are received, because the participants cannot determine 
the measurement basis, until they receive some necessary 
announcement from other parties. Thirdly, some proto- 
cols [9rli~2l 03 require the use of joint measurements on 
multi-particle states. All these technical requirements 
seriously lower the feasibility of the protocols. Further- 
more, the decoy state method is sometimes adopted [§- 
EH H EH], which requires a large amount of quantum 
transmission and thus reduces the efficiency of the pro- 
tocols. Even so, some proposals [H-El, EE E3 s ^ involve 
QKD as parts of the protocols. On the contrary, in our 
protocols, rather than using QKD to transmit classical 
information, no other quantum states and operations are 
required. Since there exists QKD protocol [18j in which 
entanglement and quantum memory are not necessary, 
our protocols surpass all previous proposals, and is read- 



ily feasible with currently available technology. 



V. SUMMARY 

Thus we show that with the presence of the semi- 
honest third party, the millionaire problem and QPC can 
be solved with simple protocols which require QKD as 
the only quantum resource. Therefore, quantum pro- 
tocols requiring entanglement, quantum memory, joint 
measurements, etc., are all inferior in feasibility and sim- 
plicity, and are unnecessary for the problem. 
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